Polymorphic security policy action

ABSTRACT

In one embodiment, a method of improving the security of a computing device comprises using a computing device that has received one or more messages that have been determined as unauthorized, obtaining a plurality of state data values from one or more of the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect: using the computing device and pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; using the computing device, acting upon the one or more messages using the particular policy action; wherein the method is performed using one or more computing devices.

PRIORITY CLAIM

This application claims the benefit as a Continuation of application Ser. No. 14/338,207, filed Jul. 22, 2014, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein. The applicant(s) hereby rescind any disclaimer of claim scope in the parent applications or the prosecution history thereof and advise the USPTO that the claims in this application may be broader than any claim in the parent application(s).

FIELD OF THE DISCLOSURE

The present disclosure generally relates to network security technology in devices such as firewalls and security gateways. The disclosure relates more specifically to techniques for use in network security devices in response to detecting attacks or other unauthorized traffic.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

Malicious users of computer networks commonly use network reconnaissance as the first stage of advanced attacks. Attackers use reconnaissance tools from multiple layers of the Open Systems Interconnect (OSI) network model to gather information on target networks and systems. The gathered information can be analyzed together with known vulnerabilities to gain access to secure networks and computers. The success rate of subsequent attacks largely depends on the accuracy and stability of the reconnaissance results.

Security products such as firewalls and intrusion prevention systems are deployed logically in front of target systems, such as application server computers, to actively prevent malicious attacks. The security policies on these products are designed and updated by IT administrators. While providing designed protection to the target systems, these security policies generate deterministic actions on a given set of incoming network traffic. Attackers may exploit the deterministic nature of the policy actions to figure out what are already prevented and what are still vulnerable. The attackers can then use this information to develop evasion techniques and eventually penetrate the security products.

SUMMARY

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 illustrates an example computer system including a computer security device that is configured to implement an embodiment.

FIG. 2 illustrates an example process of responding using polymorphism to network attacks.

FIG. 3 illustrates a second example process of responding using polymorphism to network attacks.

FIG. 4 illustrates a computer system which may be used to implement certain embodiments.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention. Embodiments are described according to the following outline:

1. Overview

2. Example Polymorphic Security System

3. Example Polymorphic Security Methods

-   -   3.1 Pseudo-random selection of policy actions     -   3.2 Coexistence of regular and polymorphic policy actions     -   3.3 Scheduled polymorphic policy actions     -   3.4 Implementation and applicability

4. Implementation Mechanisms—Hardware Overview

1. Overview

In one aspect, a method of improving the security of a computing device comprises using a computing device that has received one or more messages that have been determined as unauthorized, obtaining a plurality of state data values from one or more of the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect: using the computing device and pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; using the computing device, acting upon the one or more messages using the particular policy action; wherein the method is performed using one or more computing devices.

In this context, “pseudo-random” may refer to processes that appear to be random but are not strictly random. For example, software processes may be used that exhibit statistical randomness while being generated using techniques that technically are deterministic and reproducible. Pseudo-random processes typically are easier to implement. In some embodiments, truly random processes may be used, based upon hardware random number generators, function calls to random number generators in operating systems, measurements of voltage or user input devices, and similar techniques.

Further, in this context, “message” is used for convenience to refer broadly to any set of one or more frames, packets, segments, or other data directed to the computing device. For example, a message may be a TCP segment, a probe packet, an HTTP request carried in one or more packets, an application-layer message in one or more packets, or any other data that is directed to the computing device.

In one feature, the plurality of different policy actions comprises any two or more of: pass, drop request, drop request and close connection, redirect to an error page, inject cookie, block network address, block application user, whitelist network address, blacklist network address. In another feature, the plurality of data values comprises any two or more of: system time on the computing device; system load on the computing device; attack severity level; source network address.

In an embodiment, the method further comprises performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data. In yet another feature, the state data values comprise one or more attributes of the one or more messages, and one or more operating values indicating operating characteristics of the computing device. In some embodiments, the method comprises using hash value generating logic, generating a hash value that is based upon the state data values; using the pseudo-random selection logic, using the hash value as an index into a list of stored different policy actions, pseudo-randomly selecting a particular policy action from among the plurality of policy actions.

In another embodiment, the method further comprises determining that the state data values match a particular policy rule from among a plurality of different policy rules; determining that the particular policy rule is marked for polymorphic treatment; using the pseudo-random selection logic, performing the pseudo-randomly selecting using a particular policy action that corresponds to the particular policy rule and a second particular policy action. In another embodiment, the method comprises performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment. In another embodiment, the method comprises performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data; performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment.

In another aspect, an electronic digital network security device comprises one or more processors; one or more first network interfaces that are configured to couple to a client computer; one or more second network interfaces that are coupled to a server computer that the security device is configured to protect from attack; one or more non-transitory computer-readable storage media coupled to the one or more processors and storing one or more sequences of instructions which when executed by the one or more processors cause performing: receiving one or more messages that are determined as unauthorized; obtaining a plurality of state data values from one or more of the security device, the one or more messages, and a second computer; before providing the one or more messages to the server computer: using pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; acting upon the one or more messages using the particular policy action.

Embodiments are configured to introduce polymorphism into security policy actions. For example, using polymorphic policy actions, a security device may be configured to enforce policy actions in a randomized or pseudo-randomized way. In one embodiment, for the same set of network attack traffic, depending on the current time, the application user and one or more other relevant input data values, the security device may perform different actions on messages that have been identified as relating to an attack. Example actions include drop, pass, redirect, and block network address. In an embodiment, the randomization or pseudo-random responses occur without the need for administrators to manually update policy data in the security device. Using the polymorphic policy actions to respond to messages associated with attacks, the security device externally appears unpredictable to attackers, and inferring target vulnerabilities from the reconnaissance results becomes far more difficult. Therefore, embodiments offer the benefit of dramatically increasing the cost, to an attacker, of network reconnaissance and reverse engineering.

In various embodiments, polymorphic policy actions also may be performed using a schedule, in which particular policy actions are linked to a particular time window. In addition to confusing attackers, using scheduled polymorphic policy action also provides administrators a more flexible way of selectively and programmatically enabling security policy rules.

2. Example Polymorphic Security System

FIG. 1 illustrates an example computer system including a computer security device that is configured to implement an embodiment. In the example of FIG. 1, a client computer 102 is coupled directly or indirectly through one or more local networks, wide area networks or internetworks to a network 104 that includes a security device 106 and a server computer 120. Typically security device 106 is a special-purpose computer that may perform inspection tasks and act upon incoming packets, segments, messages or flows based upon stored policy; in some cases the security device also performs routing and/or switching functions. Embodiments may be implemented using any security device 106 that actively prevents attacks based upon configurable security policy and configured to evaluate and act on frames, packets, segments or messages at layer 3, 4, 5, 6 or 7 of the Open Systems Interconnect (OSI) internetworking model. Examples of security device 106 include network firewalls, intrusion prevention systems, unified threat management systems, web application firewalls, the SHAPESHIFTER botwall commercially available from Shape Security, Inc., Mountain View, Calif., and others.

As seen in FIG. 1, the security device 106 is deployed logically between the client computer 102 or other network client, such as a browser at a network end station, and the server computer 120 or other target such as a website or web application server. In this configuration, the security device 106 is arranged to inspect traffic between the client computer 102 and server computer 120. In one embodiment, messages originated at client computer 102 and directed toward server computer 120 are received at an ingress interface 105 and provided to processing logic within the security device 106; if a decision is made to pass through the messages, then the messages are moved to egress interface 122, which is coupled to server computer 120.

In an embodiment, security device 106 comprises policy selection logic 110 coupled to message processing policies 112, pseudo-random generator 114, state data collection logic 116, policy enforcement logic 118, scheduling logic 124, and logging logic 126 which may be coupled to data storage 130. The logical elements shown in FIG. 1 may be implemented using special-purpose circuits such as ASICs or FPGAs, or may be implemented using firmware, one or more computer programs or other software elements hosted using operating system 108.

In an embodiment, policy selection logic 110 is configured to select from among the message processing policies 112 and to provide a selected policy to policy enforcement logic 118 for use in taking action on messages received on ingress interface 105. For example, when an attack is identified, the security device 106 takes an action based on configurable security policy. In an embodiment, state data collection logic 116 is configured to determine one or more state data values at the time that messages are received for use as a basis of generating, pseudo-randomly, an index value into the message processing policies 112 or to pseudo-randomly directly select one of the message processing policies for use. Particular techniques for determining the state data values and the index value or other selection are further described herein.

In an embodiment, the scheduling logic 124 is configured to determine whether a particular scheduled time period is configured in association with the message processing policies 112 and to trigger the enforcement of a particular policy only within the time period associated with that particular policy. Particular techniques for doing so are further described herein.

In an embodiment, the logging logic 126 is configured to store log records representing one or more of the received messages, selected policies, and data relating to enforcement in records in data storage 130. For example, a record may specify a message flow using a five-tuple of TCP/IP header values (source address, destination address, source port, destination port, protocol identifier) in association with a policy identifier and a selected enforcement action.

In an embodiment, message processing policies 112 may be created and maintained by IT administrators. Policies 112 may specify, for any particular kind of message, whether that type of message is unauthorized. In other words, a message is unauthorized and subject to pseudo-random processing as described herein based upon definitions in policies 112, rather than based upon the inherent type, nature or structure of the message. Typically a security policy comprises a security operation and a security policy action. The security operation defines a set of detection and prevention procedures that the security device 106 applies on the incoming and outgoing traffic. The security policy action defines the procedure to follow once an attack is identified by the security operation. The security policy actions may apply on different OSI layers. Example actions include:

-   -   Pass, aka “no action”;     -   Silently perform passive action such as writing a log record;     -   Drop request (layer 3);     -   Drop request and close connection (layer 4);     -   Redirect client to an error page (layer 7);     -   Redirect client to a CAPTCHA page (layer 7);     -   Inject application cookie to inspect client's future requests         (layer 7);     -   Perform other injection techniques at layers lower than layer 7;     -   Block client IP address (layer 3);     -   Block application user (layer 7);     -   Blacklist client IP address (layer 3).

Injection techniques at layers lower than layer 7 may include, for example, injecting fields within the network payload that are known to be returned unmodified or modified in a predictable way by the recipient.

Various embodiments may use various subsets of the preceding list of actions. Embodiments may select and use only a set of the preceding actions that is appropriate for network 104 based upon policy, security requirements, or other factors. For example, passing through messages that are known to represent an attack vector may be impermissible and excluded from the list.

3. Example Polymorphic Security Methods

3.1 Pseudo-Random Selection of Policy Actions

In some environments, a malicious user of the client computer 102 may use one or more network reconnaissance tools that view the security device 106 and target server computer 120 as one single entity. Attackers use the network reconnaissance tools to send large amounts of probing requests to the target security device 106. Some requests may be identified by the security device 106 and dropped. Some requests may penetrate the security device 106 and reach the target server computer 120. Attackers may exploit their knowledge of whether a reconnaissance request obtains a successful response from the server computer 120. By correlating the responses with known vulnerabilities, the attackers may develop potential evasion and exploitation techniques. For example, attackers may be able to determine what services are available in a network and/or whether particular ports are open. The network reconnaissance tools also may operate on different OSI layers; examples include: Port scanner (layer 4); Network enumerator (layer 3-7); Network vulnerability scanner (layer 3-7); Web application security scanner (layer 7).

In various embodiments, data processing methods as described herein may be used in a network security device to make the security device's behavior unpredictable to attackers. With polymorphic security policy actions, the security device 106 no longer takes deterministic actions on identified attack requests, as specified in the configured security policy. Instead, the responsive action performed by the security device 106 in response to a particular kind of attack, or a particular kind of input data associated with messages or requests from the client computer 102, may vary pseudo-randomly over time. As a result, to the client computer 102, the responsive action of the security device and/or server computer 120 may be indistinguishable from random behavior. Therefore, it may be impossible, or at least far more difficult, for an attacker to determine what attack mechanism, messages, vectors, or data to use in an attempt to attack the security device 106, server computer 120, or other elements of a protected network.

FIG. 2 illustrates an example process of responding using polymorphism to network attacks. FIG. 3 illustrates a second example process of responding using polymorphism to network attacks. For purposes of illustrating clear examples, FIG. 2, FIG. 3 are described herein with reference to the example system of FIG. 1. However, other embodiments of FIG. 2, FIG. 3 may be implemented using other network arrangements or using network security devices that have arrangements different than shown in FIG. 1.

Referring first to FIG. 2, in one embodiment, at block 202, the process receives one or more messages that have been determined as unauthorized or to represent attacks. For example, client computer 102 sends a plurality of messages toward server computer 120, and the messages are intercepted by security device 106 via ingress interface 105. The security device 106 may include attack detection logic, not shown in FIG. 1, which determines that the messages are unauthorized. For example, the messages may represent an attack on network 104 or server computer 120. In general, the determination of whether or not a set of packets, segments, messages or other data arriving on ingress interface 105 is unauthorized, is orthogonal to the approaches described herein and is not described in detail for the reason that any appropriate technique may be used.

Moreover, in some embodiments, block 202 may involve the security device 106 receiving from another computer, other than client computer 102, a function invocation, method call, request message, or other mode of receiving the messages and a signal that they are unauthorized. In other words, the approaches herein do not require the security device 106 to receive messages from client computer 102 directly; the security device may be configured to receive a message or programmatic request from another computing device that provides the messages.

At block 204, the process obtains a plurality of state data values from one or more of: a computing device that received the messages, the one or more messages, and/or a second computer that sent the messages. For example, block 204 may involve state data collection logic 116 obtaining data values for a system clock of security device 106, a system load on the device, a timestamp of a message, attack vector data from attack detection logic such as a severity level, values from packets associated with the messages such as source network address and/or source port value; a length in bytes of packets or messages; or any other values that can be used as a basis for a pseudo-random selection in other steps.

Block 206 indicates that the operations of subsequent blocks are performed before admitting the one or more messages to a network that is protected. At block 208, using pseudo-random selection logic, based on the state data values, a particular policy action is pseudo-randomly selected from among a plurality of different stored policy actions. For example, state data collection logic 116 provides, to pseudo-random generator 114 via policy selection logic 110, the state data values that were collected. In response, the pseudo-random generator 114 generates a pseudo-random value based upon using the state data values as a seed value input to a random number generator. The policy selection logic 110 then receives and uses the pseudo-random value as an index to select one of the message processing policies 112, or a particular message processing action from among a plurality of defined or stored message processing actions. At block 210, the one or more messages are acted upon using the particular policy action.

As a result, a particular set of input data to ingress interface 105, or obtained by the security device 106 from a programmatic call or message, may result in applying any of a plurality of different pseudo-randomly selected responsive actions based upon the state data values and the configuration of the random number generator. An attacker positioned at the client computer 102 who repeatedly presents the same data to the security device 106 will be unable to predict which responsive action will be performed, greatly reducing the ability of the attacker to correlate actions of the security device or the server computer 120 to particular attack vectors.

Referring now to the data processing process of FIG. 3, in an embodiment, at block 302 the process detects an attack represented in one or more messages received over a network and directed to a protected computing device, using an attack matching rule. For example, ingress interface 105 of security device 106 may receive a plurality of packets directed toward server computer 120 and the policy selection logic 110 or other attack evaluation logic may apply a plurality of attack matching rules of which one or more matches the packets. As indicated by block 301, the source of the messages may be data from a network reconnaissance tool that is deployed at client computer 102.

At block 304, the process may quarantine or otherwise hold the one or more messages in a buffer or other storage during evaluation of the messages.

The operations of blocks 306, 308 are optional and are described in other sections below. In some embodiments, after block 304, control proceeds to block 310 at which the process retrieves one or more state data values such as system time, system load, attack severity, and/or source network address. At block 312, using a pseudo-random function, the process determines an index value based upon the state data values. In one embodiment, the security device 106 calculates a hash value based upon run-time information including: system time on the security device; system load (percentage) on the security device; attack severity level; source IP address of client computer 102; any other numeric run-time information that can be used as random seed. Any one of the foregoing may be used, or a combination. Assuming the security device 106 has n number of defined policy actions, the resulting hash value is normalized to be within [1, n].

At block 314, the process determines, from among a set of policy actions, a particular policy action that the index value identifies. For example, the normalized hash value is used to select one policy action from among the actions shown in policy action array 320. In various embodiments, available policy actions may include two or more of: Pass the message(s) toward server computer 120; Drop the message(s) without informing client computer 102; Drop the message(s) and close the connection; Redirect the client computer 102 to an error page; Redirect the client computer 102 to a challenge page such as a CAPTCHA page; Inject an application cookie into the message stream; Block the IP address of client computer 102 by storing IP address information on the security device 106, and/or by informing other computing devices in network 104; Block an application user that is identified in the message(s); Whitelist the IP address of client computer 102; Blacklist the IP address of client computer 102; or others.

At block 318, the policy action that was selected at block 314 is applied to the one or more message(s).

Optionally at block 306 the process may determine a particular policy action that matches the attack matching rule that was matched at block 302. To facilitate this operation, each of the attack matching rules that is used at block 302 may have an associated policy action, so that matching a particular rule indicates that a particular policy action is to be performed. However, the operations of blocks 310, 312, 314 may result in not using the associated policy action but instead using a different, pseudo-randomly selected policy action.

As seen at block 316, optionally the process may write a log record. In one embodiment, the security device 106 records the original policy action and the polymorphic policy action, and saves both of them in the same security event log entries. In this context, the original policy action is the action that is determined at block 306 based upon the attack matching rule that was matched at block 302, and the polymorphic policy action is the action that was selected at block 314. Storing both the policy action associated with a matching rule, and a pseudo-randomly selected action, may provide important forensic information to review and adjust operation of the pseudo-random function or the organization of policy action array 320.

3.2 Coexistence of Regular and Polymorphic Policy Actions

In an embodiment, the polymorphic policy actions selected at block 310, 312, 314 can be implemented together with the regular deterministic policy actions determined at block 302, 306. All such actions may coexist in the same security policy. In one approach, polymorphism is indicated using a flag value that is associated with each policy rule. In this embodiment, the security device 106 performs a polymorphic policy action or a regular policy action, depending on whether the polymorphic flag exists and/or is set. TABLE 1 is an example of policy rules, policy actions, and flag values.

TABLE 1 FLAG VALUES ASSOCIATED WITH ACTIONS Number Rule Match Policy Action Flag 1 Attack match 1 Pass Polymorphic 2 Attack match 2 Drop Polymorphic 3 Attack match 3 Close None 4 Attack match 4 Redirect Polymorphic 5 Attack match 5 Redirect None 6 Attack match 6 Block source IP None

In the example of TABLE 1, policy rule 1, 2 and 4 will trigger polymorphic policy action, and the remaining policy rules will trigger regular deterministic action. As seen in FIG. 3, this action may be represented by a control operation at block 315 in which the process optionally inspects a flag value associated with a policy action and transfers control either to block 306, block 308, or block 310 depending on whether a flag value is present or set. For example, if block 302 (FIG. 3) results in matching on policy rule 1, then block 306 is skipped and the process proceeds to blocks 310, 312, 314. However, if block 302 results in matching policy rule 3, then blocks 302, 306 determine the policy action to be used, and blocks 310, 312, 314 are omitted so that control moves from block 306 to block 318.

3.3 Scheduled Polymorphic Policy Actions

In an embodiment, security device 106 is configured to implement polymorphism using a configured schedule based on a time window or other inputs. Using scheduled polymorphism has the benefit of confusing the attackers in the same manner as randomization-based polymorphism as previously described. In addition, using scheduled polymorphism provides a flexible way for IT administrators to selectively and programmatically enable policy rules.

Scheduled polymorphism may coexist with randomization-based polymorphism. In one embodiment, each policy rule is associated with a time window during which polymorphism for that rule is in effect. If a time window is defined and the system clock time at the time of processing FIG. 3 is within a defined time window, then the process applies polymorphism regardless of whether the flag value is also present and/or set. The time window option may define a specific policy action, or may enable or disable the entire policy rule. If the time window option is not present or the current system clock time is not within a defined time window, then the process applies polymorphism if the flag value is present and set. TABLE 2 provides an example.

TABLE 2 SCHEDULED POLYMORPHISM Num- Policy ber Rule Match Action Flag Time Window 1 Attack match 1 Pass Polymorphic None 2 Attack match 2 Drop Polymorphic Enabled, [9 am Apr. 1, 2014, 9 am May 1, 2014] 3 Attack match 3 Close None Enabled, Every Monday/ Tuesday 4 Attack match 4 Redirect Polymorphic Drop, [10 am Mar. 1, 2013, 1 pm Sep. 1, 2013] 5 Attack match 5 Redirect None Close, Every Thursday/ Friday 6 Attack match 6 Close Polymorphic None

Referring again to FIG. 3, in an embodiment, the process may be configured to determine at block 308 whether a system time is within a time window that is defined for a particular policy action. If the time window is not in effect, then at block 318 the policy action selected previously is used. If the time window is in effect, then control passes through the pseudo-random selection steps to result in applying polymorphism.

3.4 Implementation and Applicability

Both types of polymorphic policy actions can be implemented using the policy selection logic 110 and/or as an extension of an existing security policy action module (not shown in FIG. 1) on a security device 106. The approaches herein can be used on any security devices that perform configurable actions on attack traffic and may be particularly useful on security devices that are constantly facing the evasion challenges from advanced attackers. One benefit of the present approaches is to make evading a security device 106 dramatically harder for an attacker. Another benefit is that the approaches offer a flexible way of selectively and programmatically enabling policy rules.

4. Implementation Example—Hardware Overview

According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.

For example, FIG. 4 is a block diagram that illustrates a computer system 400 upon which an embodiment of the invention may be implemented. Computer system 400 includes a bus 402 or other communication mechanism for communicating information, and a hardware processor 404 coupled with bus 402 for processing information. Hardware processor 404 may be, for example, a general purpose microprocessor.

Computer system 400 also includes a main memory 406, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 402 for storing information and instructions to be executed by processor 404. Main memory 406 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 404. Such instructions, when stored in non-transitory storage media accessible to processor 404, render computer system 400 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 400 further includes a read only memory (ROM) 408 or other static storage device coupled to bus 402 for storing static information and instructions for processor 404. A storage device 410, such as a magnetic disk, optical disk, or solid-state drive is provided and coupled to bus 402 for storing information and instructions.

Computer system 400 may be coupled via bus 402 to a display 412, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 414, including alphanumeric and other keys, is coupled to bus 402 for communicating information and command selections to processor 404. Another type of user input device is cursor control 416, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 404 and for controlling cursor movement on display 412. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

Computer system 400 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 400 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 400 in response to processor 404 executing one or more sequences of one or more instructions contained in main memory 406. Such instructions may be read into main memory 406 from another storage medium, such as storage device 410. Execution of the sequences of instructions contained in main memory 406 causes processor 404 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 410. Volatile media includes dynamic memory, such as main memory 406. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 402. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 404 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 400 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 402. Bus 402 carries the data to main memory 406, from which processor 404 retrieves and executes the instructions. The instructions received by main memory 406 may optionally be stored on storage device 410 either before or after execution by processor 404.

Computer system 400 also includes a communication interface 418 coupled to bus 402. Communication interface 418 provides a two-way data communication coupling to a network link 420 that is connected to a local network 422. For example, communication interface 418 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 418 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 418 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 420 typically provides data communication through one or more networks to other data devices. For example, network link 420 may provide a connection through local network 422 to a host computer 424 or to data equipment operated by an Internet Service Provider (ISP) 426. ISP 426 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 428. Local network 422 and Internet 428 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 420 and through communication interface 418, which carry the digital data to and from computer system 400, are example forms of transmission media.

Computer system 400 can send messages and receive data, including program code, through the network(s), network link 420 and communication interface 418. In the Internet example, a server 430 might transmit a requested code for an application program through Internet 428, ISP 426, local network 422 and communication interface 418.

The received code may be executed by processor 404 as it is received, and/or stored in storage device 410, or other non-volatile storage for later execution.

Embodiments also encompass the subject matter of the following numbered clauses:

10. An electronic digital network security device comprises one or more processors; one or more first network interfaces that are configured to couple to a client computer; one or more second network interfaces that are coupled to a server computer that the security device is configured to protect from attack; one or more non-transitory computer-readable storage media coupled to the one or more processors and storing one or more sequences of instructions which when executed by the one or more processors cause performing: receiving one or more messages that are determined as unauthorized; obtaining a plurality of state data values from one or more of the security device, the one or more messages, and a second computer; before providing the one or more messages to the server computer: using pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; acting upon the one or more messages using the particular policy action.

11. The device of clause 10 wherein the plurality of different policy actions comprises any two or more of: pass, drop request, drop request and close connection, redirect to an error page, inject cookie, block network address, block application user, blacklist network address.

12. The device of clause 10 wherein the plurality of data values comprise any two or more of: system time on the computing device; system load on the computing device; attack severity level; source network address.

13. The device of clause 10, wherein the storage media further comprise sequences of instructions which when executed cause performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data.

14. The device of clause 10 wherein the state data values comprise one or more attributes of the one or more messages, and one or more operating values indicating operating characteristics of the computing device.

15. The device of clause 10, wherein the storage media further comprise sequences of instructions which when executed cause: using hash value generating logic, generating a hash value that is based upon the state data values; using the pseudo-random selection logic, using the hash value as an index into a list of stored different policy actions, pseudo-randomly selecting a particular policy action from among the plurality of policy actions.

16. The device of clause 10, wherein the storage media further comprise sequences of instructions which when executed cause: determining that the state data values match a particular policy rule from among a plurality of different policy rules; determining that the particular policy rule is marked for polymorphic treatment; using the pseudo-random selection logic, performing the pseudo-randomly selecting using a particular policy action that corresponds to the particular policy rule and a second particular policy action.

17. The device of clause 10, wherein the storage media further comprise sequences of instructions which when executed cause performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment.

18. The device of clause 10, wherein the storage media further comprise sequences of instructions which when executed cause: performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data; performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment.

19. A data processing method comprising: using an electronic digital security device, detecting an attack represented in one or more messages received at the security device; before admitting the one or more messages to a network that the security device protects, obtaining one or more first data values relating to then-current state of the security device, and one or more second data values from the one or more messages; using a pseudo-random mapping function, pseudo-randomly mapping a combination of the first data values and the second data values to a particular policy action from among a plurality of policy actions; applying the particular policy action to the one or more messages.

20. The method of clause 19 wherein the plurality of different policy actions comprise any two or more of: pass, drop request, drop request and close connection, redirect to an error page, inject cookie, block network address, block application user, whitelist network address, blacklist network address.

21. The method of clause 19 further comprising: performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data.

22. The method of clause 19 comprising: using hash value generating logic, generating a hash value that is based upon the first data values and the second data values; using the pseudo-random selection logic, using the hash value as an index into a list of stored different policy actions, pseudo-randomly selecting a particular policy action from among the plurality of policy actions.

23. The method of clause 19 further comprising performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment.

24. The method of clause 19 further comprising: performing the pseudo-randomly selecting only during a particular limited time period that is defined in stored schedule data; performing the pseudo-randomly selecting only from among a subset of the plurality of different policy actions that include a marking specifying polymorphic treatment.

In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. 

What is claimed is:
 1. A method of improving the security of a computing device, comprising: using a computing device that has received one or more messages that have been determined as unauthorized, obtaining a plurality of state data values from one or more of: the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect: determining that the plurality of state data values match a particular policy rule from among a plurality of different policy rules; determining that the particular policy rule is associated with a first particular policy action; determining that the particular policy rule is marked for polymorphic treatment; using the computing device and pseudo-random selection logic, based on the plurality of state data values, pseudo-randomly selecting a second particular policy action from among a plurality of different stored policy actions, wherein each of the plurality of different stored policy actions defines a different procedure to follow once an attack has been identified; using the computing device, acting upon the one or more messages using the first particular policy action and the second particular policy action.
 2. The method of claim 1, wherein the plurality of different stored policy actions comprise any two or more of: pass, drop request, drop request and close connection, redirect to an error page, inject cookie, inject one or more fields within a payload, block network address, block application user, blacklist network address.
 3. The method of claim wherein the plurality of state data values comprise any two or more of: system time on the computing device; system load on the computing device; attack severity level; source network address.
 4. The method of claim 1, wherein the plurality of state data values comprise one or more attributes of the one or more messages, and one or more operating values indicating operating characteristics of the computing device.
 5. The method of claim 1, comprising: using hash value generating logic, generating a hash value that is based upon the plurality of state data values; wherein pseudo-randomly selecting the second particular policy action is based on the hash value.
 6. The method of claim 1 wherein the second particular policy action is selected from among a subset of the plurality of different stored policy actions that include a marking specifying polymorphic treatment.
 7. The method of claim 1 further comprising: determining whether a particular time is within a particular limited time period; wherein pseudo-randomly selecting the second particular policy action is performed in response to determining that the particular time is within the particular limited time period.
 8. An electronic digital network security device having improved security comprising: one or more processors; one or more first network interfaces that are configured to couple to a client computer; one or more second network interfaces that are coupled to a server computer that the security device is configured to protect from attack; one or more non-transitory computer-readable storage media coupled to the one or more processors and storing one or more sequences of instructions which when executed by the one or more processors cause performing: receiving one or more messages that are determined as unauthorized; obtaining a plurality of state data values from one or more of the security device, the one or more messages, and a second computer; before providing the one or more messages to the server computer: determining that the plurality of state data values match a particular policy rule from among a plurality of different policy rules; determining that the particular policy rule is associated with a first particular policy action; determining that the particular policy rule is marked for polymorphic treatment; using pseudo-random selection logic, based on the plurality of state data values, pseudo-randomly selecting a second particular policy action from among a plurality of different stored policy actions, wherein each of the plurality of different stored policy actions defines a different procedure to follow once an attack has been identified; acting upon the one or more messages using the first particular policy action and the second particular policy action.
 9. The device of claim 8, wherein the plurality of different stored policy actions comprise any two or more of: pass, drop request, drop request and close connection, redirect to an error page, inject cookie, block network address, block application user, whitelist network address, blacklist network address.
 10. The device of claim 8, wherein the plurality of state data values comprise any two or more of: system time on the device; system load on the device; attack severity level; source network address.
 11. The device of claim 8, wherein the plurality of state data values comprise one or more attributes of the one or more messages, and one or more operating values indicating operating characteristics of the device.
 12. The device of claim 8, wherein the storage media further comprise sequences of instructions which when executed by the one or more processors cause performing: using hash value generating logic, generating a hash value that is based upon the plurality of state data values; wherein pseudo-randomly selecting the second particular policy action is based on the hash value.
 13. The device of claim 8, wherein the second particular policy action is selected from among a subset of the plurality of different stored policy actions that include a marking specifying polymorphic treatment.
 14. The device of claim 8, wherein the storage media further comprise sequences of instructions which when executed by the one or more processors cause performing: determining whether a particular time is within a particular limited time period; wherein pseudo-randomly selecting the second particular policy action is performed in response to determining that the particular time is within the particular limited time period. 